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Abstract 

For an odd prime p and each non-empty subset S C GF(p), con- 
sider the hyperelliptic curve Xs defined by y 2 — fs(x), where fs(%) = 
ri agS (s: — a). Using a connection between binary quadratic residue codes 
and hyperelliptic curves over GF(p), this paper investigates how coding 
theory bounds give rise to bounds such as the following example: for all 
sufficiently large primes p there exists a subset S C GF(p) for which 
the bound \Xs(GF(p))\ > 1.39p holds. We also use the quasi-quadratic 
residue codes defined below to construct an example of a formally self- 
dual optimal code whose zeta function does not satisfy the "Riemann 
hypothesis." 

A long standing problem has been to develop "good" binary linear codes to 
be used for error-correction. This paper investigates in some detail an attack 
on this problem using a connection between quadratic residue codes and hy- 
perelliptic curves. Codes with this kind of relationship have been investigated 
in Helleseth [H], Bazzi-Mitter [EH], Voloch [Vl], and Helleseth-Voloch [HV] . 
This rest of this introduction is devoted to explaining in more detail the ideas 
discussed in later sections. 

Let F = GF(2) be the field with two elements and CcF" denote a binary 
block code of length n. For any two x, y G F™, let d(x, y) denote the Hamming 
metric: 

d( Xl y) = \{l<i<n\x l ^y l }\. (1) 

The weight wt(x) of x is the number of non-zero entries of x. The smallest 
weight of any non-zero codeword is denoted d - the minimum distance if C 
is linear. When C is linear, denote the dimension of C by k and call C an 
[n, fc, d]2-code. 

Denoting the volume of a Hamming sphere of radius r in F™ by V(n,r), 
the binary version of the Gilbert- Varshamov bound asserts that (given n and d) 
there is an [n, k, c?] 2 code C satisfying k > log 2 ( V (nd~i) ) EH- 

Conjecture 1 (Goppa's conjecture UVlj .fG ^ ) The binary version of the Gilbert- 
Varshamov bound is asymptotically exact. 
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For each odd prime p > 5, a QQR codeQ is a linear code of length 2p. Like 
the quadratic residue codes, the length and dimension are easy to determine but 
the minimum distance is more mysterious. In fact, the weight of each codeword 
can be explicitly computed in terms of the number of solutions in integers mod 
p to a certain type of ( "hyperelliptic" ) polynomial equation. To explain the 
results better, some more notation is needed. 

For our purposes, a hyperelliptic curve X over GF(p) is a polynomial equa- 
tion of the form y 2 — h(x), where h(x) is a polynomial with coefficients in 
GF(p) with distinct rootfl The number of solutions to y 2 — h(x) mod p, plus 
the number of "points at infinity" on X, will be denoted \X(GF(p))\. This 
quantity can be related to a sum of Legendre characters (see Proposition Q] be- 
low), thanks to classical work of Artin, Hasse, and Weil. This formula yields 
good estimates for \X(GF(p))\ in many cases (especially when p is large com- 
pared to the degree of h) . A long-standing problem has been to improve on the 
trivial estimate when p is small compared to the degree of h. It turns out the 
work of Tarnanen [T] easily yields some non-trivial information on this problem 
(see for example Lemma |3] below), but the results given here improve upon this. 

For each non-empty subset S C GF(p), consider the hyperelliptic curve 
Xg defined by y 2 = fs(x), where fs(%) — Y\ a£ s( x ~ a )- Let B(c,p) be the 
statement: For all subsets S C GF(p), \X s (GF(p))\ < c-p holds. Note that 
B(2,p) is trivially true, so the statement B(2 — e,p), for some fixed e > 0, might 
not be horribly unreasonable. 

Conjecture 2 ("Bazzi-Mitter conjecture" JEMj) There is ac £ (0, 2) such that, 
for an infinite number of primes p the statement B(c,p) holds. 

It is remarkable that these two conjectures are related. In fact, using QQR 
codes we show that if, for an infinite number of primes p with p = 1 (mod 4) , 
.8(1.77, p) holds then Goppa's conjecture is false. Although this is a new result, 
it turns out that it is an easy consequence of the QQR construction given in |BM| 
if you think about things in the right way. Using LQR code^l we will remove 
the condition p = 1 (mod 4) at a cost of slightly weakening the constant 1.77 
(see Corollary 13]). 

The spectrum and Duursma zeta function of these QQR codes is discussed 
in Section [3] below and some examples are given (with the help of the software 
package SAGE [Sj). We show that the analog of the Riemann hypothesis for the 
zeta function of an optimal formally self-dual code is false using the family of 
codes constructed in §2. The section ends with some intriguing conjectures. 

We close this introduction with a few open questions which, on the basis of 
this result, seem natural. 

1 This code is defined in J2] below. 

2 This overly simplistic definition brings to mind the famous Felix Klein quote: "Everyone 
knows what a curve is, until he has studied enough mathematics to become confused through 
the countless number of possible exceptions." Please see Tsafsman-Vladut [TVl or Schmidt 
Sc for a rigorous treatment. 

3 These codes will be defined in ij4] below. 
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Question 1: For each prime p > 5 is there an effectively computable subset 
S C GF(p) such that \X s (GF(p))\ is "large"? 

Here "large" is left vague but what is intended is some quantity which is 
unusual. By Weil's estimate (valid for "small" -sized subsets S), we could expect 
about p points to belong to \Xs(GF(p))\. Thus "large" could mean, say, > c-p, 
for some fixed c > 1. 

The next question is a strong version of the Bazzi-Mitter conjecture. 

Question 2: Does there exist a c < 2 such that, for all sufficiently large p 
and all S C GF{p), we have \X s {GF{p))\ <c-pl 

In the direction of these questions, for Question 1, a coding theory bound of 
McEliese-Rumsey-Rodemich- Welsh allows one to establish the following result 
(see Theorem [3]) : There exists a constant po having the following property: if 
p = 1 (mod 4) and p > po then there exists a subset S C GF{p) for which the 
bound \X s {GF{p))\ > 1.62p hold& 

Unfortunately, the method of proof gives 
no clue how to compute po or S. Using the theory of long quadratic-residue 
codes, we prove the following lower bound (Theorem [5]) : For all p > po there 
exists a subset S C GF(p) for which the bound \X s (GF(p))\ > 1.39p holds. 
Again, we do not know what po or S is. 

Finally, Felipe Voloch |V2j has kindly allowed the author to include some in- 
teresting explicit constructions (which do not use any theory of error-correcting 
codes) in this paper (see $5] below). First, he shows the following result: // 
p = 1 (mod 8) then there exists an effectively computable subset S C GF(p) for 
which the bound \Xs(GF(p))\ > 1.5p holds. A similar result holds for p = 3,7 
(mod 8). Second, he gives a construction which answers Question 2 in the neg- 
ative. 

1 Cyclotomic arithmetic mod 2 

Let R = ¥[x]/ (x p — 1) and rs <E R denotes the polynomial 

r s(x) = ^2,x\ 

where S C GF(p). By convention, if S = is the empty set, r§ = 0. We 
define the weight of rg, denoted wt(r5), to be the cardinality \S\. (In other 
words, identify in the obvious way each rs with an element of F p and define the 
weight of rs to be the Hamming weight of the associated vector.). For the set 
Q of quadratic residues in GF{p) x and the set N of non-quadratic residues in 
GF(p) x , we have wt(rg) = wt(rjv) — (p — l)/2. Note that r| = r2S, where 2S 
is the set of elements 2s € GF(p), for s £ S. Using this fact and the quadratic 
reciprocity law, one can easily show that the following are equivalent: 

• r Q = r Qi 

• 2 e Q 

4 Moreover, we can remove the hypothesis p = 1 (mod 4) if we assume Conjecture \3\ 
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• p = ±1 (mod 8). 

Moreover, if 2 e TV then Tq — r^. 

Let S,S 1 ,S 2 ,S' 1 denote subsets of GF(p), with S 1 C\S' 1 = <D, and let S° = 
GF(p) — S denote the complement. For a <G GF(p) 1 let 

H(Si,S 2 ,a) = {(si,s 2 ) € Si x S 2 | si + s 2 = a (mod p)}. 
In particular, 

. H(S 1 ,S 2 ,a) = H(S 2 ,S 1 ,a), 

• there is a natural bijection H(GF(p), S, a) = S, 

• if Si r\S[ = then H(S u S 2 ,a) + H(S' 1 ,S 2 ,a) = H(Si + S' 1 ,S 2 ,a). 

Let 

h(S 1 ,S 2 ,a) = \H(S 1 ,S 2 ,a)\ (mod 2). 

Adding |H(5i,S 2 ,o)| + |H(5J,S 2 ,o)| = |S 2 | to |ff(Sf, S 2 C , o)| + |i/(^ c , S 2 , o)| = 
liSf |, we obtain 

/i(Si,S 2 ,a) = MSi,S 2 c ,a) + |Si c | + |S 2 | (mod 2). (2) 
From the definition of rs, 

rst (x)r S2 (x) = h(S 1 ,S 2 ,a)x a 

aeGF(p) 

in the ring R. Let * : R — > R denote the involution defined by (rs)* = rs? = 
r s + r GF( P )- We shall see below that this is not an algebra involution. 

Lemma 1 For all S\,S 2 C GF(p), we have 

• | Si | odd, \S 2 \ even: rs t rs 2 = r* s r* s has even weight. 

• | S± | even, \S 2 \ even: (t'SiTSs.)* = r Si r s 2 ^ as even weight. 

• even, \S 2 \ odd: r$ 1 rs 2 — r Si r S2 ^ as even we wht. 

• \Si\ odd, \S 2 \ odd: {rs 1 rs 2 )* ~ r Si r S2 ^ as we -ight. 

This lemma follows from the discussion above by a straightforward argument. 
Note that R eV en = {rs I |S| even}, is a subring of R and, by the previous 
lemma, * is an algebra involution on R even . 
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2 QQR Codes 



These are some observations on the interesting paper by Bazzi and Mitter jBM) . 
We shall need to remove the assumption p = 3 (mod 8) (which they make in 
their paper) below. 

If S C GF(p), let f s (x) = i\ aes (x - o) G GF(p)[x}. Let x = ( 5 ) be the 
quadratic residue character, which is 1 on the quadratic residues Q C GF(p) x , 
— 1 on the quadratic non-residues N C GF(p) x , and is at € GF{p). 

Define 

CiVQ = {(rjvrs.rqrs) | 5 C 

where N, Q are as above. (We identify in the obvious way each pair {r^rs, tqTs) 
with an element of F 2p . In particular, when S is the empty set, (rjyrs, tqts) 
is associated with the the zero vector in F 2p .) We call this a QQR code (or a 
quasi- quadratic residue code). These are binary linear codes of length 2p and 
dimension 

k _ ( p, if p = 3 (mod 4), 
\p—l, \fp=l (mod 4). 

This code has no codewords of odd weight, for parity reasons, by Lemma [T] 

Remark 1 If p = ±1 (mod 8) then Cnq "contains" a binary quadratic residue 
code. For such primes p, the minimum distance satisfies the well-known square- 
root lower bound, d > ^Jp. 

Based on computations using SAGE, the following statement is likely to be 
true. 

Conjecture 3 For p = 1 (mod 4), the associated QQR code and its dual sat- 
isfy: Cnq®C^q = ¥ 2p , where © stands for the direct product (so, in particular, 
Cnq^C^q = {0} ). If p = 3 (mod 4) then the associated QQR code is self-dual: 
C nq = C nq ■ 

The self-dual binary codes have useful upper bounds on their minimum dis- 
tance (for example, the Sloane-Mallows bound Theorem 9.3.5 in [HP] ) . Com- 
bining this with the lower bound mentioned above, we have the following result. 

Lemma 2 Assume Conjecture^ If p=3 (mod 4) then 

d < 4 • [p/12] + 6. 

If p= —1 (mod 8) then 

VP < d < 4 • [p/12] + 6. 

Note that these upper bounds (in the cases they are valid) are better than 
the asymptotic bounds of McEliese-Rumsey-Rodemich- Welsh for rate 1/2 codes. 
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Example 1 The following computations were done with the help o/SAGE. When 
p = 5, Cjvq has weight distribution 

[1,0,0,0,5,0,10,0,0,0,0]. 

When p = 7, Cnq has weight distribution 

[1, 0, 0, 0, 14, 0, 49, 0, 49, 0, 14, 0, 0, 0, 1] . 

When p = 11, Cjvq has weight distribution 

[1, 0, 0, 0, 0, 0, 77, 0, 330, 0, 616, 0, 616, 0, 330, 0, 77, 0, 0, 0, 0, 0, 1] . 

When p = 13, Cnq has weight distribution 

[1, 0, 0, 0, 0, 0, 0, 0, 273, 0, 598, 0, 1105, 0, 1300, 0, 598, 0, 182, 0, 39, 0, 0, 0, 0, 0, 0]. 

The following well-known r esuli0 shall be used to estimate the weights of 
codewords of QQR codes. 

Proposition 1 (Artin, Hasse, Weil) Assume S C GF(p) is non-empty. 

• \S\ even: 

E x(fs(a)) = - P -2+\X s (GF(p))\. 

a<EGF(p) 

• 1 5*1 odd: 

E x(fs(a)) = - P -l + \X s (GF(p))\. 

a<EGF(p) 

• \S\ odd: The genus of the (smooth projective model of the) curve y 2 = 
fs(x) is g = 1 anal 

| E X(fs(a))\ <(|S|-iy/a + i. 

aGGF(p) 

• 15*1 even: The genus of the (smooth projective model of the) curve y 2 = 
fs(x) is g — 2 2 and 

| E x(fs(a))\<(\S\~2)p^ 2 + l. 

aGGF(p) 

Obviously, the last two estimates are only non-trivial for S "small" (e.g., 
\S\<P 1 ' 2 ). 

5 See for example Weil [W] or Schmidt [Sc], Lemma 2.11.2. 
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Lemma 3 (Tarnanen fT] , Theorem 1) Fix r, 0.39 < t < 1. For all sufficiently 
large p, the following statement is false: For all subsets S C GF(j>) with \S\ < 
rp, we have 0.42p < \X s (GF(p))\ < lA2p. 

Remark 2 (1) Here the meaning of "sufficiently large" is hard to make precise. 
The results of Tarnanen are actually asymptotic (as p — > oo^, so we can simply 
say that the negation of part (1) of this Lemma contradicts Theorem 1 in FT] /. 
(2) This Lemma does not seem to imply "B(lA2,p) is false, for sufficiently 
large p" (so Theorem^ below is a new result), though it would if the condition 
0A2p < \Xs(GF(p))\ could be eliminated. Also of interest is the statement about 
character sums in Theorem 1 of Stepanov ISty . 

Proof: This is an immediate consequence of the Proposition above and The- 
orem 1 in UJ. □ 

Lemma 4 (Bazzi-Mitter [BM], Proposition 3.3) Assume 2 and —1 are quadratic 
non-residues mod p (i.e. p = 3 (mod 8)). 

If c = (rNrs,rQrs) is a nonzero codeword of the [2p,p] binary code Cnq 
then the weight of this codeword can be expressed in terms of a character sum 
as 

wt(c)=p- X(fs(a)), 

aEGF(p) 

if \S\ is even, and 

wt(c)=p+ x(fs-(aj), 

a£GF(p) 

if \S\ is odd. 

In fact, looking carefully at their proof, one finds the following result. 
Proposition 2 Let c = {rNrs,rQrs) be a nonzero codeword of Cnq. 

(a) If \S\ is even 

wt(c)=p- Y x(fs(a)) = 2p + 2-\X s (GF(p))\. 

a£GF(p) 

(b) If \S\ is odd and p = 1 (mod 4) then the weight is 

wt(c)=p- x(fs«(a))=2p + 2-\X S c{GF(p))\. 

aEGF(p) 

(c) If \S\ is odd and p = 3 (mod 4) then 

wt(c)=p+ Y x(fs*(a)) = \X S c(GF(p))\-2. 

aeGF(p) 
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Proof: If A, B C GF(p) then the discussion in SJT] implies 

wt(r A r B )= J2 parity |An(fc-B)|, (3) 

k£GF(p) 

where — B = {k — 6 | 6 G £?} and parity(x) = 1 if a; is an odd integer, and = 
otherwise. Let S C GF(p), then we have 

p-wt(r Q r s ) -wt (r^rs) = ^ (l- parity |Qn(a-5)|- parity |JVn(a-S)|). 

a£GF(p) 

Let 

T a (5) = l- parity \Q n (a - S)\ - parity |iV n (a - S)\. 

Case 1. If \S\ is even and a € 5 then £ a - S so |Q n (a - 5)| odd 
implies that |iV n (a — S)\ is even, since is not included in Q n (a — 5) or 
iV n (a - S). Likewise, \Q n (a - S)\ even implies that \N D (a - S)\ is odd. 
Therefore T a (S) = 0. 

Case 2. If IS" | is even and a g S then parity \QD (a- S)\ =paxity|JVn(a— 
If \Qf)(a-S)\ is even then T a (S) = 1 and if \Qn(a-S)\ is odd then T a (S) = -1. 

Case 3. |5| is odd. We claim that {a - S) c = a - S c . (Proof: Let s e S 
and s € S c . Then a — s = a — s s = s, which is obviously a contradiction. 
Therefore (a - S) n (a - S c ) = 0, so (a - S) c D (a - S c ). Replace S by S" c to 
prove the claim.) Also note that 

(Q n (a - S)) U (Q n (a - S c )) = GF{p) nQ = Q 
has |Q| = elements (U denotes disjoint union). So 

parity \Q n (a - S)\ = parity |Q n (a - S c )\ 
if and only if \Q\ is even and 

parity \Q n (a - S 1 )! 7^ parity |Q n (a - 5 C )| 

if and only if and only if \Q\ is odd. 
Conclusion. 

|5|even: T a (S) = J] 

KEa— S 

|5| odd and p ee 3 (mod 4) : T a (S) = ~T a (S c ) 

\S\ odd and p = 1 (mod 4) : T a (5) = T a (S c ) 

The relation between wt(c) and the character sum follows from this. For the 
remaining part of the equation, use Proposition [TJ □ 
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Remark 3 It can be shown, using the coding-theoretic results above, that if 
p = — 1 (mod 8) then (for non-empty S) Xs(GF(p)) contains at least ^fp + 1 
points. This also follows from Weil's estimate, but since the proof is short, it is 
given here. 

What part (c) of Proposition^ gives is that if p = — 1 (mod 8) and \S\ is 
odd then Xs{GF{p)) contains at least y/p+2 points. If \S\ is even then perform 
the substitution x = a + l/x, y = y/x^ s ^ on the equation y 2 = fs(x). This 
creates a hyperelliptic curve X in (x,y) for which \X(GF(p))\ = \Xs(GF(p))\ 
and X = Xs', where \S'\ = 15*1 — 1 is odd. Now apply part (c) of the above 
proposition and Remark^ to Xgi. □ 

Remark 4 // |5| = 2 or \S\ = 3 then more can be said about the character 
sums above. 

If\S\ = 2 then ^2 a x(fs(a-)) can be computed explicitly (it is "usually" equal 
to —1 - see Proposition 1 in ]Wa]). If\S\ —3 then x(/s( a )) can be expressed 
in terms of a hypergeometric function 2F1 over GF{p) (see Proposition 2 in 

It has already been observed that the following fact is true. Since its proof 
using basic facts about hyperelliptic curves is so short, it is included here. 

Corollary 1 Cnq is an even weight code. 

Proof: Since p is odd 1 ^ — 1 in GF(p), so every afhne point in Xs(GF(p)) 
occurs as an element of a pair of solutions of y 2 = fs(x)- There are two 
points at infinity (if ramified, it is counted with multiplicity two), so in general 
\Xs(GF(p))\ is even. The formulas for the weight of a codeword in the above 
Proposition imply every codeword has even weight. □ 

As a consequence of this Proposition and Lemma [21 we have the following 
result. 

Corollary 2 Assume Conjecture^ Ifp= 3 (mod 4) thenm&xs \Xs(GF(p))\ > 
|p-4. 

Example 2 The following examples were computed with the help o/SAGE. 
Ifp = 11 and S = {1, 2, 3, 4} then 

(r s (x)r N (x),rs(x)r Q (x)) 
= (x 1Q + x 9 + x 7 + x 6 + x 5 + x A + x 2 + 1, x w + x 9 + x 7 + x 6 + x 5 + x 3 + x + 1), 

corresponds to the codeword (1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1) of 
weight 16. An explicit computation shows that the character sum X)aeGF(n) x(/s( a )) 
is —5, as expected. 

Ifp = 11 and S = {1,2,3} then 

(r s (x)r N (x), r s {x)r Q (x)) = (x 9 +x 7 +x 5 +x 4 +x 3 +x 2 +x, x 1Q +x s +x 6 +x 3 +x 2 +x+l). 
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corresponds to the codeword (0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1) of 
weight 14. An explicit computation shows that the character sum X) a eGF(ii) x(fs a 
is 3, as predicted. 

Recall B(c,p) is the statement: \X s (GF(p))\ < c ■ p for all S C GF(p). 

Theorem 1 (Bazzi-Mitter) Fix c £ (0,2). If B(c,p) holds for infinitely many 
p with p = 1 (mod 4) then there exists an infinite family of binary codes with 
asymptotic rate R = 1/2 and relative distance 5 > 1 — |. 

This is an easy consequence of the above Proposition and is essentially in 
|BM] (though they assume p = 3 (mod 8)). 

Theorem 2 If B(1.77,p) is true for infinitely many primes p with p = 1 
(mod 4) then Goppa's conjecture is false. 

Proof: Recall Goppa's conjecture is that the binary asymptotic Gilbert- 
Varshamov bound is best possible for any family of binary codes. The asymp- 
totic GV bound states that the rate R is greater than or equal to 1 — H2(S), 
where 

H q {5) = 8 ■ \og q (q - 1) -6\og q (S) -(1-5) \og q (l - S) 

is the entropy function (for a g-ary channel). Therefore, according to Goppa's 
conjecture, if R = k (and q = 2) then the best possible § is Sq = .11. Assume 
p = 1 (mod 4). Goppa's conjecture implies that the minimum distance of our 
QQR code with rate R = \ satisfies d < So ■ 2p = .22p, for sufficiently large p. 
Recall that the weight of a codeword in this QQR code is given by Proposition^ 
£(1.77, p) (withp= 1 (mod 4)) implies (for all S C GF(p)) wt((r s r N ,r s r Q )) > 
2p - \Xs(GF(p))\ > 0.23p. In other words, for p = 1 (mod 4), all nonzero 
codewords have weight at least 0.23p. This contradicts the estimate above. □ 

Using the same argument and the first McEliese-Rumsey-Rodemich- Welsh 
(MRRW) bound ( [HP] , Theorem 2.10.6), we prove the following unconditional 
result. 

Theorem 3 For all sufficiently large primes p for which p = 1 (mod 4), the 
statement B (1.62, p) is false. 

Proof: If a prime p satisfies B(1.62,p) then we shall call it "admissible." We 
show that the statement "i?(1.62,p) holds for all sufficiently large primes p for 
which p = 1 (mod 4)" contradicts the first asymptotic MRRW bound. Indeed, 
this MRRW bound states that the rate R is less than or equal to 



h(S) = H 2 (- y/S0^S)). 

This, and the fact that R = | for our QQR codes (with p = 1 (mod 4)), imply 
5 < So = h~ 1 (l/2) = 0.187. Therefore, for all large p (admissible or not), 
d < So ■ 2p. On the other hand, if p is admissible and \Xs(GF(p))\ < c-p (where 
c = 1.62) then by the above argument, d > 2 ■ (p — |p). Together, we obtain 
1 - f < S , so c > 2 • (1 - h- 1 (l/2)) ^ 1.626. This is a contradiction. □ 
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Corollary 3 Assume Conjecture^ There is a constant po (ineffectively com- 
putable) having the following property: if p > po then there is a subset S C 
GF(p) for which the bound \X s (GF(p))\ > 1.62p holds. 

This is of course the same as the above theorem, except that we have used 
Corollary [2] (which unfortunately depends on Conjecture [3]) to remove the hy- 
pothesis p=l (mod 4). 



3 Weight distributions 



In |D1| Iwan Duursma associates to a linear code C over GF(q) a zeta function 
Z = Zc of the form 

Z(T) = P ^ 



(l-T)(l-qTY 

where P(T) is a polynomial of degree n + 2 — d — d ± which only depends on 
C through its weight enumerator polynomial (here d is the minimum distance 
of C and is the minimum distance of its dual code C' 1 ; we assume d > 2 
and d ± > 2). If 7 = 7 (C) = n + k + 1 - d and z c (T) = Z c {T)T x ~"i then the 
functional equation in [Dlj can be written in the form z c ±(T) = zc(l/qT). If 
we let (c(s) = Zc{q~ s ) and £c(s) = z c(q~ s ) then £c and £c have the same 
zeros but £c is "more symmetric" since the functional equation expressed in 
terms of it becomes 



fc-L (*) = &(!-*). 

Abusing terminology we call both Zc and a Duursma zeta function. In 
fact, if pi denotes the i-th zero of the zeta function Z(T) of an actual code 
then equations (5)-(6) of |D2j implies (for the even weight binary codes we are 
considering here) the relation 

i 

Therefore, further knowledge of the zeros of Z(T) could be very useful. 

If C is self-dual (or actually only formally self-dual) then the zeros of the £- 
function occur in pairs about the "critical line" Re(s) — \ . Following Duursma, 
we say (for formally self-dual codes C) the zeta function satisfies the Riemann 
hypothesis if all its zeros occur on the "critical line" . 

Example 3 The following computations were done with the help of SAGE. // 
p = 7 then the [14, 7,4] (self-dual) code Cnq has "zeta polynomial" 

2 4 19 , 28 , 40 , 56 , 76 fi 32 - 32 8 

P(T) = 1 T+ T H T H T H T H T -\ T -\ T 8 . 

v ' 143 143 429 429 429 429 429 143 143 

It can be checked that all the roots p of Zc have \p\ = l/y/2, thus verifying the 
Riemann hypothesis in this case. 
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It would be interesting to know if the Duursma zeta function Z(T) of Cnq, 
for p = 3 (mod 4), always satisfies the Riemann hypothesis. 

A self-dual code is called extremal if its minimum distance satisfies the 
Sloane-Mallows bound |D3| and optimal if its minimum distance is maximal 
among all such linear codes of that length and dimension (see also Chinen [Chi] , 
|Ch2] ). As noted above, the Duursma zeta function only depends on the weight 
enumerator. It has been conjectured that, for all extremal self-dual codes C, 
the ^-function satisfies the Riemann hypothesis. The example below shows that 
"extremal self-dual" cannot be replaced by "optimal formally self-dual" . 

Based on computer computations using SAGE, the following statement ap- 
pears to be true, though we have no proof. 

Conjecture 4 If p = 1 (mod 4) then the code C spanned by Cnq and the all 
ones codeword (i.e., the smallest code containing Cnq and all its complementary 
codewords) is a formally self-dual code of dimension p. Moreover, we if A = 
[Aq, Ai, A n ] denotes the weight distribution vector of Cnq then the weight 
distribution vector of C is A + A* , where A* = [A n , A\, Ao]. 

Using SAGE, it can be shown that the Riemann hypothesis is not valid for 
these "extended QQR codes" in general, as the following example illustrates. 

Example 4 If p = 13 then C is a [26, 13,6] code with weight distribution 



[1,0, 0, 0, 0, 0, 39, 0, 455, 0, 1196, 0, 2405, 0, 2405, 0, 1196, 0, 455, 0, 39, 0, 0, 0, 0, 0, 1]. 

This is (by coding theory tables, as included in SAGE 'Ey) an optimal, formally 
self-dual code. This code C has zeta polynomial 

P(T\ = 3 4- 6 T 4- 611 rp2 I 9 rp3 , 3441 rpj , 6448 rp5 , 44499 ^6 
{ ' EM ^7 8 f 5 66353 3 ^ 6 8 49 ? 2 2 5 39 2 ^ , » , 5« + 1634380 J 

l^m T 12 .Ws 1 » 5 T 14 T «15 , 1«r 
408595 2185 168245 ~^ 8855 ' 8855 

Using SAGE, it can be checked that only 8 of the 12 zeros of this function have 
absolute value l/v2- 

4 Long Quadratic Residue Codes 

We now introduce a new code, constructed similarly to the QQR codes discussed 
above: 

C = {(rNrs,rQrs,r N r* s ,r Q r* s ) | S C GF(p)}. 

We call this a long quadratic residue code or LQR code for short, and identify 
it with a subset of F 4p . Observe that this code is non-linear. 
For any S C GF(p), let 
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and let 



c S = (rNrs,r Q r S7 r N r* s ,r Q r* s ) 



vs = (rNrs,rQr s ,r N r s ,r Q r s ). 

If S1AS2 denotes the symmetric difference between Si and S2 then it is easy to 
check that 

CSi +cs 2 = v Si as 2 - ( 4 ) 

We now compute the size of C using Lemma [TJ We prove the claim: if p = 3 
(mod 4) then the map that sends S to the codeword C5 is injective. This implies 
|C| = 2 P . Suppose not, then there are two subsets Si, S2 Q GF(p) that are 
mapped to the same codeword. Subtracting — cg 2 = cs 1 + cs 2 = vs 1 as 2 , 
and the subset T = S1AS2 satisfies tqtt = tntt = tqtt" = r^rr? = 0. If |T| 
is even then = (Yq + rj^)ri = (t*gf(p) — l) r T = tt- This forces T to be the 
empty set, so Si = S2. Now if |T| is odd then similar reasoning implies that T c 
is the empty set. Therefore, Si = and S2 = GF{p) or vice versa. This proves 
the claim. 

In case p = 1 (mod 4), we claim: \C\ = 2 P_1 . Again, suppose there are 
two subsets Si, S2 C GF(p) that are mapped to the same codeword. Then the 
subset T = S1AS2 satisfies tqtt = rjyrx = tqtt^ = r^rx" = 0. This implies 
either T = or T = GF{p). Therefore, either Si = S 2 or Si = Si 

Combining this discussion with Proposition [U we have proven the following 
result. 

Theorem 4 The code C has length n — Ap and has size M = 2 P ~ 1 if p = 1 
(mod 4), and size M — 2 P if p = 3 (mod 4). If p = 3 (mod 4) then the 
minimum non-zero weight is 2p and the minimum distance is at least 

d v = Ap-2 max \X s (GF(p))\. 

SCGF(p) 

If p = 1 (mod 4) then C is a binary [Ap,p — 1, d p ]-code. 

Remark 5 If p = 3 (mod 4), there is no simple reason I can think of why the 
minimum distance should actually be less than the minimum non-zero weight. 

Lemma 5 If p = 1 (mod 4) then 

• vs = cs, 

• C Sl + C S2 = C Sl AS 2 , 

• the code C is isomorphic to the QQR code Cnq- 
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In particular, C is linear and of dimension p — 1. 

Proof: It follows from the the proof of Theorem [4] that if p = 1 (mod 4) 
then r^jrs 1 = r^rs 2 and tqts 1 = rQr$ 2 if and only if S2 = Sf. The lemma 
follows rather easily as a consquence of this and ((H). □ 

Assume p = 3 (mod 4). Let 

V = {v s I 5 C GF(p)} 

and let 

C = CUV. 

Lemma 6 The code C is 

• the smallest linear subcode o/F 4p containing C, 

• dimension p + 1, 

• minimum distance min(d p ,2p). 

By abuse of terminology, we call C an LQi? code. 

Proof: The first part follows from ([JJ. The second part follows from a 
counting argument (as in the proof of Theorem [4]). The third part is a corollary 
of Theorem |U □ 

Recall that 



P-ZaeGFirti^f 1 ), \S\ even (any p), 
wt(r N r s , r Q r s ) = { p - J2aeGF( P ) > \ S \ odd and P = 1 ( mod 4 )' 

P + Lecfw hr 1 ■ |S|oddandp^3 (mod 4), 



by Proposition [21 



Lemma 7 For eacft p, the codeword c$ = (nvrs, tqts, r^vr^, rQTij) of C has 
weight 



wt(cs) 



2p-2Ea 6G F( P )( / f ii ), P=l (mod 4), 
2p, p = 3 (mod 4). 



In other words, if p = 3 (mod 4) then C is a constant weight code. 
Proof: Indeed, Proposition [2] implies if p = 1 (mod 4) then 



wt(r N rs,r Q rs,r N rg,r Q r* s ) = wt (r N r s , r Q r s ) + wt (rjyrj, r Q r£) 

= 2 • wt (r N r s ,r Q rs) ( 5 ) 

= 2p - 2 SaGGF(p) (^p^) ' 
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if p = 3 (mod 4) and \S\ is even then 



Wt (r N rs,rQr s ,r N r* s ,r Q r* s ) = wt (r N r s ,r Q r s ) + wt (r N r* s ,r Q r* s ) 

= P~ Z)aeGF(p) (^^) +P + SaeGF(p) 
= 2p, 

(6) 

and if p = 3 (mod 4) and |5| is odd then 



wt(rNrs,rQr s ,r N r* s> r Q r* s ) = wt (r^rs, r Q r s ) + wt (rjvr£, r Q r* s ) 

= P + ^2aeGF(p) +P _ SaeGF(p) (f^J 

= 2p. 

(7) 

□ 

Example 5 The following examples were computed with the help o/SAGE. When 
p = 11 and 5 = {1, 2, 3, 4}, eg corresponds to the codeword 

(0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0) 
of weight 22. When p = 11 and S = {1, 2, 3}, cs corresponds to the codeword 



(1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0) 
of weight 22. 

It turns out Lemma [6] allows us to improve the statement of Theorem [2] in 
Sj2] The next subsection is devoted to this goal. 

4.1 Goppa's conjecture revisited 

We shall now remove the condition p = 1 (mod 4) in one of the results in fj^l 
at a cost of weakening the constant involved. 

Assuming B(c,p) holds, we have that the minimum distance of C is > 
min(e?p, 2p) > 4p(l — |) and the information rate is R = j + j-- When R = 1/4, 
Goppa's conjecture gives 6 = 0.214... . So Goppa's conjecture will be false if 
1 — | =0.215, or c = 1.57. We have the following improvement of Theorem [2j 

Theorem 5 If the £>(1.57,p) is true for infinitely many primes p then Goppa's 
conjecture is false. 

A similar argument (using h(x) and the MRRW bound in place of 1 — H%{x) 
and the hypothetical Goppa bound) gives 

Theorem 6 £>(1.39,p) cannot be true for infinitely many primes p. In other 
words, for all "sufficiently large" p, we must have Xs{GF(p)) > 1.39p for some 
S cGF{p). 
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5 Some results of Voloch 



Lemma 8 (Voloch) If p = 1,3 (mod 8) then \X Q (GF(p))\ = 1.5p + a, where 
Q is the set of quadratic residues and a is a small constant, — i < a < | . 

A similar bound holds if Xq is replaced by Xm and p = 1,3 (mod 8) is 
replaced by p = 7 (mod 8) (in which case 2 is a quadratic residue) . 

Proof: By Proposition [TJ we know that if p = 3 (mod 8) (so \Q\ is odd): 
E x(f Q (a)) = -p-l + \X Q (GF(p))\. 

a<EGF(p) 

Similarly, if p = 1 (mod 8) (so \Q\ is even): 

E x(fQ(a)) = - P -2+\X Q (GF(p))\. 

a<EGF(p) 

p— l 

Since b~^~ = x(6) (mod p), we have 

- 1 = Y[ (x - a) = /q(x), x^ + 1 = Y[ ( x ~ a )- 

aeQ a£N 

In particular, for all n 6 iV, 

/q( 71 ) = — a) = n^^- — 1 = —2 (mod p). 

Since p = 1,3 (mod 8), we have %(— 2) = 1, so x(/q(«)) = 1 for all n e 
AT. It follows that \X Q {GF(p))\ = |p + x(/q(0)) + 5 (if p = 3 (mod 8)) or 
|X Q (GF(p))| = |p + x(/o(0)) + | (ifp=l (mod8)). □ 

Here is an extension of the idea in the above proof. Fix an integer £ > 2. 
Assuming £ divides p— 1, there are distinct £-th roots r\ = 1, T2, Tt in GF(p) 

for which x^ 1 -1 = IlLiC 2 ^ ~ r i)- Also i ~ 1 = ILeF^"") = fe^i 
where Pf denotes the set of non-zero f-th powers in GF(p). 

Claim: It is possible to find an infinite sequence of primes p satisfying p = 1 
(mod £) and x( r i — 1) = 1, for all 2 < i < I (where x denotes the Legendre 
character mod p). If the claim is true then we will have a lower bound for 
\Xp t [GF{p))\ on the order of (2 — j)p, along the lines above, by Proposition [TJ 

Proof of claim: It is a well-known fact in algebraic number theory that p = 1 
(mod £) implies that the prime p splits completely in the cyclotomic field 
generated by the £-th roots of unity in C, denoted fi = 1, f2, rg. The 
condition x{ r i ~ 1) = 1 means that p splits in the extension of Qi obtained by 
adjoining y/fi — 1 (here i = 2, ...,£). By Chebotarev's density theorem there 
exist infinitely many such p, as claimed. □ 

In fact, there are effective versions which give explicit information on com- 
puting such p [LOj . [Se] , This, together with the previous lemma, proves the 
following result. 
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Theorem 7 (Voloch) If £ > 2 is any /lied integer then for infinitely many 
primes p there exists a subset S C GF{p) for which \Xs(GF(p))\ — (2 — j)p + a, 
where a is a small constant, — ^ < a < | . 

In fact, the primes occurs with a positive (Dirichlet) density and the set S 
can be effectively constructed. 
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